The hacking of the Office of Personnel Management adds to an already long list of companies and government agencies whose computer systems have been breached, exposing the personal data of millions of people.

The breach is just the latest evidence that it is nearly impossible to keep personal information safe from hackers. Chances are, your personal data was stolen well before the latest breach.

With that depressing knowledge in hand, there are a few steps you can take to make it harder, albeit not impossible, for hackers to exploit your data. There may be a trade-off in convenience, but experts say the alternative is a lot worse.

  1. Turn on multifactor authentication.

    If a service offers added security features like multifactor authentication, turn them on. When you enter your password, you will receive a message, usually via text, with a one-time code that you must enter before you can log in.

    Most banking sites and popular sites like Google, Apple, Twitter and Facebook offer two-factor authentication, and will ask for a second one-time code anytime you log in from a new computer.

  2. Change your passwords again.

    Yes, you need to change passwords again and they have to be passwords you have never used before. They need to be long and not words you would find in a dictionary. The first thing hackers do when trying to break into a site is use computer programs that can test every word in the dictionary.

    It may sound counterintuitive, but the truly paranoid write down their passwords.

    Security experts advise creating acronyms based on song lyrics, movie quotations or sayings, and using symbols or numbers and alternating lower and upper cases to make the password more difficult. For instance, the “Casablanca” movie quotation “Of all the gin joints, in all the towns, in all the world, she walks into mine” becomes OaTgJ,iAtT,iAtW,sWiM.

    Use stronger, longer passwords for sites that contain the most critical information, like bank or email accounts.

  3. Forget about security questions.

    Sites will often use security questions such as “What was the name of your first school?” or “What is your mother’s maiden name?” to recover a user’s account if the password is forgotten.

    These questions are problematic because the Internet has made public record searches a snap and the answers are usually easy to guess.

    In a recent study, security researchers at Google found that with a single guess, an attacker would have a 19.7 percent chance of duplicating an English-speaking user’s answer to the question, “What is your favorite food?” (It was pizza.)

    With 10 tries, an attacker would have a 39 percent chance of guessing a Korean-speaking user’s answer to the question, “What is your city of birth?” and a 43 percent chance of guessing the favorite food.

    Jonathan Zdziarski, a computer forensics expert, says he often answers these questions with an alternate password. If a site offers only multiple choice answers, or requires only short passwords, he won’t use it.

    “You can tell a lot about the security of a site just by looking at the questions they’ll ask you,” he said.

  4. Monitor your credit.

    Typically a service will offer one year of free credit monitoring if it has been breached. But be aware that attackers do not dispose of your Social Security number, birth date or password a year after they acquire them.

    It is better to monitor your credit aggressively at all times through free services like AnnualCreditReport.com.

  5. Freeze your credit.

    In the attack at the I.R.S., a credit freeze may not have thwarted thieves from filing for false tax refunds, but it could have stopped them from pulling tax transcripts or opening other accounts.

    To freeze your credit, call Equifax, Experian or TransUnion and ask to have your account frozen. The credit agency will mail a one-time PIN or password to unfreeze your account later.

    The fee to freeze and refreeze credit varies by state. If you plan on applying for a new job, renting an apartment or buying insurance, you will have to thaw a freeze temporarily and pay a fee to refreeze the account.

    But if you have been a victim of identity theft, and can show a police report proving as much, most states will waive the freeze fee.